Today, attackers employ many techniques to invade computer networks, including worms, exploits, viruses, and trojans. For the last few years the primary defense against these attacks has been the firewall, which can be programmed with rules to detect and drop potentially harmful transmissions. Firewalls alone, however, have been insufficient to protect computer networks, because no matter the size or complexity of a firewall, certain ports and protocols must be left open so that authorized users can reach Internet resources such as email and the World Wide Web, and attacks carried over those permitted channels pass through.
Because firewalls have been insufficient on their own, Intrusion Detection Systems (IDSs) were developed to detect attacks and notify the administrator. IDSs, however, have been equally ineffective at stopping intrusions before they do harm, because, like firewalls, they depend on human intervention: an IDS only reports an intrusion, and an intrusion in progress continues until the administrator acts on the alert.
It would therefore be desirable to provide methods and an apparatus for blocking harmful transmissions automatically, in real time, without intervention by a network administrator. It would also be desirable to provide methods and an apparatus that block, in real time, further transmissions from the IP addresses that are the source of harmful transmissions, and that combine several different types of analysis to detect and block such transmissions. Additional desirable features include: a risk threshold that is programmable and that may be updated remotely and/or automatically; a database of signatures of harmful transmissions, holding up-to-date information on harmful payloads, that may likewise be updated remotely or automatically; a firewall that blocks transmissions from a particular IP address once it is determined that an attack is being made from that address, and that is also pre-trained to block certain known harmful transmissions and certain IP addresses; a timer on the firewall that clears a blocked IP address after a determined period; a system that can operate alongside an existing firewall; and a system that can be deployed in a number of different positions within an existing network to provide different kinds of protection, such as protection from outside attacks, protection from internal attacks, and protection of an external network from attacks that originate within the internal network.
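The features enumerated above (a signature database that can be refreshed, a programmable risk threshold, several analyses combined into one risk score, automatic blocking of a source IP address, a pre-trained block set, and a timer that clears blocked addresses) can be sketched as a small inline decision engine. The following is an added illustration written for this page, not code from the application itself; the signature patterns, scores, threshold, 60-second timer, rate limits and the sample traffic are all constructed assumptions chosen to exercise each feature.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Verdict:
    action: str                # "allow" or "drop"
    score: int
    reasons: list = field(default_factory=list)


class SignatureDB:
    """Regex signatures of harmful payloads, each carrying a risk score.
    update() stands in for the remote or automatic feed refresh."""

    def __init__(self):
        self.sigs = []

    def update(self, entries):
        for name, pattern, score in entries:
            self.sigs.append((name, re.compile(pattern, re.IGNORECASE), score))

    def match(self, payload):
        return [(name, score) for name, pat, score in self.sigs if pat.search(payload)]


class TimedBlocklist:
    """Blocked source IPs with an expiry timer; pre-trained addresses never expire."""

    def __init__(self, ttl_seconds, pretrained=()):
        self.ttl = ttl_seconds
        self.permanent = set(pretrained)
        self.expiry = {}       # ip -> time at which the block clears

    def block(self, ip, now):
        self.expiry[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        if ip in self.permanent:
            return True
        exp = self.expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:         # timer elapsed: clear the address
            del self.expiry[ip]
            return False
        return True


class RiskEngine:
    """Combines two analyses (payload signatures and per-source rate) into one
    score and blocks the source IP automatically when the threshold is reached."""

    def __init__(self, sigdb, blocklist, threshold, rate_window, rate_limit, rate_score):
        self.sigdb, self.blocklist, self.threshold = sigdb, blocklist, threshold
        self.rate_window, self.rate_limit, self.rate_score = rate_window, rate_limit, rate_score
        self.history = defaultdict(deque)   # ip -> timestamps inside the rate window

    def set_threshold(self, value):
        """Programmable threshold; a deployment would drive this from a remote update."""
        self.threshold = value

    def _rate_points(self, ip, now):
        q = self.history[ip]
        q.append(now)
        while q and now - q[0] > self.rate_window:
            q.popleft()
        return self.rate_score if len(q) > self.rate_limit else 0

    def inspect(self, ip, payload, now):
        if self.blocklist.is_blocked(ip, now):
            return Verdict("drop", 0, ["blocked-source"])
        hits = self.sigdb.match(payload)
        reasons = [name for name, _ in hits]
        score = sum(s for _, s in hits)
        rate = self._rate_points(ip, now)
        if rate:
            score += rate
            reasons.append("rate")
        if score >= self.threshold:
            self.blocklist.block(ip, now)   # real-time block, no operator involved
            return Verdict("drop", score, reasons)
        return Verdict("allow", score, reasons)


def build_engine():
    db = SignatureDB()
    db.update([("path-traversal", r"\.\./", 6), ("sqli-tautology", r"'\s*or\s+1=1", 6)])
    bl = TimedBlocklist(ttl_seconds=60, pretrained={"198.51.100.9"})
    return RiskEngine(db, bl, threshold=5, rate_window=10, rate_limit=5, rate_score=5)


# Constructed traffic: (time, source_ip, payload). Not captured from a real network.
SAMPLE_TRAFFIC = [
    (0, "203.0.113.5", "GET /index.html"),
    (1, "203.0.113.5", "GET /cgi-bin/../../etc/passwd"),  # signature hit -> source blocked
    (2, "203.0.113.5", "GET /index.html"),                 # benign, but source still blocked
    (3, "198.51.100.9", "GET /index.html"),                # pre-trained address
    (61, "203.0.113.5", "GET /index.html"),                # 60 s timer elapsed -> allowed again
] + [(10 + i, "192.0.2.7", "GET /index.html") for i in range(6)]  # 6 requests in 10 s -> rate block


def run_sample(traffic=SAMPLE_TRAFFIC):
    engine = build_engine()
    # Process in time order, as an inline sensor would see the packets.
    return [(t, ip, engine.inspect(ip, payload, t)) for t, ip, payload in sorted(traffic)]


if __name__ == "__main__":
    for t, ip, v in run_sample():
        print(f"t={t:>3} {ip:<13} {v.action:<5} score={v.score} {','.join(v.reasons)}")
```

Two points worth noting in the design: the source-address check runs before any payload analysis, so once an address is blocked even benign traffic from it is dropped until the timer clears it, which is exactly the behaviour that removes the administrator from the loop; and the rate analysis shows why a threshold over a combined score is needed, since a single benign request scores zero and only the combination of analyses pushes a source over the line.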